These reviews are from cargo-vet. To add your review, set up cargo-vet and submit your URL to its registry.

4.0.3 — diff review from 4.0.0 only (current) safe-to-deploy, crypto-reviewed

From zcash/rust-ecosystem copy of zcash/zcash. By Jack Grigg.

SigningKey::from([u8; 32]) parsing now uses Scalar::from_bytes_mod_order instead of Scalar::from_bits. This means that the clamped scalar bits are now reduced before they are used, which removes the implicit mul-by-cofactor during scalar multiplication (as the last 3 bits of the scalar are no longer guaranteed to be zero). However, this happens to be fine in the context of this crate:

  • SigningKey does not expose its inner Scalar directly, so we only need to consider how it is used within the crate.
  • For multiplication within a prime-order (sub)group, we get the same result whether we reduce before or not. This means that the field-element multiplication during signing, and the prime-order subgroup component of any group-element scalar multiplication, are unaffected.
  • The only group element that the Scalar is multiplied by is the Ed25519 basepoint, which is torsion free (so the implicit mul-by-cofactor is unnecessary).

The current version of ed25519-zebra is 4.0.3.
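The argument in the 4.0.3 review above can be checked numerically. The following Python sketch is an added example, not code from ed25519-zebra or from the reviewer; it uses textbook affine Edwards arithmetic with RFC 8032 parameters, and the names (mul, signing_scalar, S_MIN, T2) and the seed are constructed for illustration.

```python
# Added illustration: clamped scalar vs. the same scalar reduced mod L.
import hashlib

P = 2**255 - 19  # field prime
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
D = -121665 * pow(121666, -1, P) % P  # curve constant d
IDENTITY = (0, 1)

def add(a, b):
    """Complete affine addition on -x^2 + y^2 = 1 + d*x^2*y^2."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P
    return (x3, y3)

def mul(k, pt):
    """Double-and-add over every bit of k; k is not reduced here."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def recover_x(y):
    """Even x for a given y (square root for P % 8 == 5)."""
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return x if x % 2 == 0 else P - x

def signing_scalar(seed):
    """Clamped scalar from SHA-512(seed): bits 0-2 and 255 clear, bit 254 set."""
    s = int.from_bytes(hashlib.sha512(seed).digest()[:32], "little")
    return (s & ((1 << 254) - 8)) | (1 << 254)

BY = 4 * pow(5, -1, P) % P
B = (recover_x(BY), BY)  # Ed25519 basepoint: order L, torsion free
T2 = (0, P - 1)          # order-2 point: pure torsion
S_MIN = 1 << 254         # constructed: smallest value clamping can produce

if __name__ == "__main__":
    s = signing_scalar(b"constructed seed")
    print("basepoint agrees:", mul(s, B) == mul(s % L, B))
    q = add(B, T2)
    print("B+T2 agrees:", mul(S_MIN, q) == mul(S_MIN % L, q))
```

On the basepoint the reduced and unreduced scalars give the same point; on B+T2 they differ by T2, which is the case the review's third bullet excludes because the crate only multiplies the basepoint.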

4.0.0 — diff review from 3.1.0 only (older version) safe-to-deploy

From zcash/rust-ecosystem copy of zcash/zcash. By Daira-Emma Hopwood.

Changes are mainly in the pem and pkcs8 features and in Java or Scala code. These do not introduce unsafe code, but I cannot vouch for their cryptographic correctness or conformance to PEM or PKCS8 standards. I reviewed the remaining changes from 3.1.0 to 4.0.0 fully.

cargo-vet does not verify reviewers' identity. You have to fully trust the source the audits are from.

safe-to-deploy (implies safe-to-run)

This crate will not introduce a serious security vulnerability to production software exposed to untrusted input.

safe-to-run
Implied by other criteria

This crate can be compiled, run, and tested on a local workstation or in controlled automation without surprising consequences.

crypto-reviewed

The cryptographic code in this crate has been reviewed for correctness by a member of a designated set of cryptography experts within the project.


Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry does not use crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.

To review the actual code of the crate, it's best to use cargo crev open ed25519-zebra. Alternatively, you can download the tarball of ed25519-zebra v4.0.3 or view the source online.